Heartland breaks the nine-figure data-breach barrier
The 2006 Veterans Administration breach will always hold a special place in our hearts for targeting a population who deserved much better protection, and the TJX breach of 2007 will live forever in the legends of security professionals who can't fathom how the security-light retailer managed to stay in business after such a heaping helping of incompetence, but the newly revealed hole at Heartland Payment Systems gets some special prize for sheer scope of theft. Even the head of the company isn't sure how much was taken, but the company handles over 100 million transactions every month.
The company does know what was not compromised, according to a release this morning: merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PINs), consumer addresses or telephone numbers; Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms. And they really knew how to kick off the damage-control effort: announce when all eyes are on the inauguration, and pick up a URL for their breach-info site that emphasizes the year the breach apparently occurred (2008) rather than the year it was revealed (2009).
But what we don't know is apt to keep forensic folk (and maybe lawyers) digging for weeks. For instance, how long was the data-stealing malware resident on Heartland systems? The company has been working with the Secret Service and the Department of Justice to figure out what's happened, and suggests that a global criminal ring may be implicated; anyone we've heard of? And -- the $64 question, and probably worth much more depending on the answer -- is this just some VA-style mess where the breach actually resulted in no identity-theft or fraud issues for individuals, or more like TJX, where sleazy people did sleazy things with the stolen data?